Q&A: TK Maxx credit card fraud

Hackers have stolen information from at least 45.7 million payment cards used by customers of US retailer TJX, which owns TJ Maxx, and UK outlet TK Maxx.

BBC News explains how the fraud may have taken place and what you should do if you think you could have fallen victim.

Help, I shopped at TK Maxx. Could my details have been stolen?

It depends.

The card details in question belong to US, UK, Irish and Puerto Rican customers of TK Maxx's parent company TJX.

The data was accessed on TJX's computer systems in Watford, Hertfordshire, and Framingham, Massachusetts over a 16-month period from July 2005 and covers transactions made by credit and debit cards dating as far back as December 2002.

I shopped at TK Maxx around that time - should I be worried?

TJX HACKING TIMELINE

18 December 2006 - TJX discovers the breach in security

Within days it hires outside investigators and notifies US federal authorities

19 January 2007 - Publicly admits the problem, but not the full extent

29 January 2007 - Reveals the full nature of the breach

Says data was first hacked in July 2005

Stolen bank card details date back to December 2002

Well, your card details may now be in the hands of fraudsters.

But there is a silver lining.

The UK's 138 million credit and debit cards have recently been replaced. The replacement programme has to do with the introduction of chip-and-pin card technology.

In effect, this means that three-quarters of the card details that were stolen are useless, because the physical card and number have already been replaced.

But this could still leave millions of consumer accounts potentially in the firing line.

I cannot remember if my card has been replaced. Is there anything I should do?

There are a number of things you need to do.

First, check your bank statements and look for any untoward transactions.

If you spot something unusual, contact your bank immediately.

Banks have said that they believe fraudsters have already used some of the stolen card numbers.

The Association of Payment Clearing Services (Apacs), which represents the banking industry, has said that customers who have had money taken from their accounts will be refunded in full.

In addition, any bank charges which accrued due to a fraudulent transaction will also be refunded.

However, this may take some time as the bank will want to investigate the fraudulent transaction.

Why were my card details kept in the first place?

According to Robert Schifreen, a security consultant and former hacker, retailers like to keep customer details as a marketing exercise.

"Companies like to use data for sophisticated customer profiling," Mr Schifreen explained.

"For example, you may buy a pregnancy test kit from a retailer and then nine months later you will get an offer for nappies," he added.

However, Mastercard and Visa have agreements in place with retailers that they use such information securely.

The upshot is that the retailer is supposed to have security systems in place to ensure that card details cannot be accessed and then used by fraudsters.

What has happened in this instance?

Details at this stage are sketchy.

The company said it has fallen victim to hacking and that it does not have a full list of the card details stolen because the fraudsters have covered their tracks.

"Something of this magnitude is only achievable through a computer breach," Mr Schifreen said.

"This could be done through hacking or an internal breach. 45 million card details are not that hard to store. Such data would fit easily on a memory stick."

Who could have done this?

The smart money is on an organised group of fraudsters.

According to Sandra Quinn, a spokeswoman for Apacs, fraudsters tend to strike at the weakest part of a security chain. In this instance it seems to have been TJX.

"Unfortunately these issues crop up. We have to fight to ensure everyone's data is safe," Ms Quinn said.

"Fraudsters will attack the weakest link, they will go for lowest hanging fruit. We don't know of a successful hack into a UK bank so retailers have to be especially vigilant," Ms Quinn added.

How can I better protect myself?

If shopping online, only use companies you trust and card providers which offer no-quibble refunds in cases of fraud.

According to Mr Schifreen, you should only use sites which have SSL encryption: look for a padlock symbol in the bottom right of the screen.

As for offline transactions, exercise caution at all times.

The Cardwatch site, set up by Apacs to increase awareness of card fraud, calls on people to be vigilant.

Cardwatch advises consumers never to let cards out of sight and to check receipts and bank statements thoroughly.

What is more, they advise consumers to take the drastic step of shredding all their card receipts.

Disturbingly, a card receipt is all a clever fraudster needs to reproduce a replica card.

You are most at risk when the fraudster can easily guess your card's personal identification number, or Pin.

Avoid using easily traceable facts about yourself - such as your date of birth - as your Pin.

In addition, you should have a different Pin for every card. It may be a pain to remember all the numbers, but it will make the job of the fraudster very difficult indeed.

Ultimately, though, no matter what protection you take you are relying on banks and retailers to fulfil their side of the bargain and keep your details safe.

What about protecting myself while using a cash machine?

The advice from security experts is clear.

If you suspect that the cash machine you are about to use has been tampered with in any way then walk away and report your suspicions to the bank or machine operator.

Common cash machine fraud includes using skimming devices, which copy card details, and miniature camera devices, which record cardholders' Pins.

Often fraudsters hover around cash machines, spying on users in a bid to capture their Pins.

Consumers are advised to cover the hand they are using to enter their Pin.
